Identity security firm SailPoint disclosed a GitHub repository breach that occurred on April 20 due to a third-party application vulnerability.

Identity security firm SailPoint disclosed a GitHub repository breach that occurred on April 20 due to a third-party application vulnerability. The company confirmed that no customer data or production environments were impacted by the incident.
https://securityaffairs.com/191997/data-breach/identity-security-firm-sailpoint-discloses-github-repository-breach.html

The cybercrime group TeamPCP compromised the Checkmarx Jenkins AST plugin by exploiting credentials obtained from a previous supply chain attack. Checkmarx has since released a patched version of the plugin to address the malicious code and mitigate the security breach.
https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html

Apple's iOS 26.5 and iPadOS 26.5 updates resolve over 50 security vulnerabilities, including issues related to WebKit, kernel performance, and system applications. Users are encouraged to install these patches promptly to protect their devices from potential exploits.
https://www.macrumors.com/2026/05/11/ios-26-5-security-fixes/

A new malware named ZiChatBot is exploiting Zulip's REST APIs for its command and control server, making it harder to detect. This malware was distributed through malicious Python packages on PyPI and targets both Windows and Linux systems.
https://cybersecuritynews.com/new-zichatbot-malware-uses-zulip-rest-apis/

An unknown threat group abused Anthropic's Claude AI to aid in a sophisticated takeover attempt against a Mexican water utility, highlighting how AI tools can empower untrained actors. The incident, part of a larger campaign targeting Mexican government agencies, saw attackers use Claude and OpenAI's GPT-4.1 AP for reconnaissance, exploit customization, and privilege escalation, though the OT system breach ultimately failed.
https://www.cybersecuritydive.com/news/anthropics-claude-compromise-mexican-water-utility/819710/

Cold Relay is a single-binary Active Directory security assessment tool that collects Windows authentication evidence across various protocols and services to build a deterministic attack graph. It provides findings with validation status, evidence, blockers, and next actions, differentiating between proven facts and theoretical possibilities.
https://github.com/thechosenone-shall-prevail/cold-relay

A recent study found that 60% of MD5 password hashes can be cracked in under an hour using a single GPU, with 48% cracked in under a minute, highlighting the vulnerability of passwords protected only by fast hashing algorithms. Experts emphasize that passwords should be part of a broader identity-based security strategy, including multi-factor authentication and zero trust models, rather than relied upon as the sole security measure.
https://www.theregister.com/security/2026/05/07/60-of-md5-password-hashes-are-crackable-in-under-an-hour/5234954

A Canvas hack by ransomware group ShinyHunters has resulted in the theft of billions of messages and the data of over 275 million individuals, including student names, email addresses, and student ID numbers. This incident, described as the biggest student data privacy disaster in history, highlights the risks of centralizing sensitive educational data in a single platform, potentially enabling more targeted phishing attacks and exposing deeply personal student information.
https://www.404media.co/the-biggest-student-data-privacy-disaster-in-history-canvas-hack-shows-the-danger-of-centralized-edtech/

Quacc++ is an automated bug hunting tool that combines grep.app for searching public GitHub repositories with Semgrep for static code analysis to discover vulnerabilities. It scans repositories for specific patterns, downloads matching code, and uses Semgrep with custom rules to precisely identify security flaws.
https://www.somersetrecon.com/blog/2026/4/27/quacc-automated-open-source-vulnerability-discovery

Cybersecurity firm Trellix has reported a security incident where hackers gained unauthorized access to a portion of its source code repository. While investigations are ongoing, Trellix has found no evidence of exploitation or compromise of customer-facing products.
https://cybersecuritynews.com/trellix-source-code-breach/

A massive phishing operation has been discovered that leverages Google AppSheet and Google Drive to bypass security measures and steal Facebook Business accounts, affecting over 30,000 users globally. The campaign, linked to Vietnam, employs various technical methods, including Netlify clones, reward traps, and live control panels, to trick users into divulging sensitive information like passwords and two-factor authentication codes.
https://hackread.com/google-appsheet-facebook-accountdumpling-scam/

The increasing speed, scale, and automation of cyberattacks due to artificial intelligence make it challenging for organizations to prioritize emerging threats. Security leaders must adapt their strategies to address these amplified threats, focusing on visibility, ownership, and aligning technical risks with business impact.
https://www.bankinfosecurity.com/interviews/emerging-threats-are-harder-to-prioritize-in-ai-era-i-5542

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a Linux root access bug also known as Copy Fail, to its Known Exploited Vulnerabilities catalog due to active exploitation. This privilege escalation flaw allows unprivileged local users to gain root access by corrupting the kernel's page cache, posing a significant risk to cloud and containerized environments.
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

The Pentagon has partnered with seven tech companies, including Google, Microsoft, and Nvidia, to integrate their artificial intelligence capabilities into classified military networks. This initiative aims to enhance warfighter decision-making and operational efficiency, though concerns about AI ethics, privacy, and the level of human oversight remain subjects of ongoing discussion and development.
https://www.securityweek.com/us-military-reaches-deals-with-7-tech-companies-to-use-their-ai-on-classified-systems/

Toronto police have arrested three men and seized SMS blasters, a new type of cybercrime weapon not previously seen in Canada. These devices mimic legitimate cell towers to send fraudulent text messages, leading to smishing and potential interference with emergency services.
https://nationalpost.com/news/canada/toronto-police-seize-sms-blasters-cybercrime-canada

The AI model Mythos, developed by Anthropic and considered too dangerous to release widely, was reportedly leaked by users who guessed its location, raising cybersecurity concerns. This incident highlights the growing threat of AI-powered cyberattacks and the need for defenders to adapt to a rapidly evolving landscape.
https://fortune.com/2026/04/23/anthropic-mythos-leak-dario-amodei-ceo-cybersecurity-hackers-exploits-ai/

UK moves to ban smoking for everyone born after 2008

The UK has passed a generational smoking ban, meaning individuals born after January 1, 2009, will never legally be able to purchase tobacco products. This landmark public health intervention, which also tightens regulations on vaping, will apply across England, Scotland, Wales, and Northern Ireland. https://www.dw.com/en/uk-moves-to-ban-smoking-for-everyone-born-after-2008/a-76884561

The UK has passed a generational smoking ban, meaning individuals born after January 1, 2009, will never legally be able to purchase tobacco products. This landmark public health intervention, which also tightens regulations on vaping, will apply across England, Scotland, Wales, and Northern Ireland.
https://www.dw.com/en/uk-moves-to-ban-smoking-for-everyone-born-after-2008/a-76884561

The New World Screwworm, a parasitic fly that eats animal and human flesh, has been detected 90 miles from the U.S. border in Mexico, posing an imminent threat to Texas ranchers, livestock, and the food supply. The Texas Department of Agriculture is urging producers to be on high alert, check their animals for signs of infestation like moving maggots or foul-smelling wounds, and report any suspected cases immediately to prevent a crisis.
https://www.kalb.com/2026/04/14/new-world-screwworm-detected-about-90-miles-united-states/